Detecting Traffic From US Treasury Sanctioned Countries and Conflict Zones


This is the seventh post in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess file and Project Honey Pot to help reduce spam traffic hitting your website. 

The Blue Plate WAF is for small websites on basic hosting plans that lack access to more sophisticated web security tools.  These basic plans are often used to host content management systems such as WordPress, Joomla, Drupal, or Typo3 which are ideal for a small organization.

This blog edition focuses on redirecting traffic coming from certain countries without using the traffic's IP address to determine its origin.  Determining the country an IP address originates from requires automated tools and a subscription service, because IP address block assignments change continuously.  Geo-blocking subscriptions and tools can be costly or too complex for a small website, so there are alternative options.

We explore how to use REMOTE_HOST resolution, language detection through the HTTP:Accept-Language header, and referral detection through the HTTP_REFERER header to determine where a user is from.

 

Remote Host Detection To Send Users from Specific Countries To Your Honeypot

Remote host detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The REMOTE_HOST attribute is populated by Apache with the fully qualified domain name (FQDN) of the remote user.  In the event Apache can't resolve the FQDN, it returns the value of REMOTE_ADDR (the user's IP address).  Note that Apache only performs this reverse DNS lookup when HostnameLookups is set to On in the server configuration (the default is Off, and the directive is not available in .htaccess); where it is Off, REMOTE_HOST simply contains the IP address and the rules below never match.

The code below reads the REMOTE_HOST variable using the RewriteCond command. If a match is detected, the RewriteRule command virtually directs the user to your honey pot.  In this use case, the website owner wants to limit website traffic from U.S. Treasury sanctioned countries and countries involved in conflicts.  These countries include Russian Collective Security Treaty Organization (CSTO) participating countries, Cuba, Venezuela, North Korea, Iran, Syria, and Yemen.

To determine the originating country of the traffic, RewriteCond checks whether the user's FQDN ends in a country-code top-level domain (ccTLD) belonging to one of the countries that the website owner would like to limit.

 

 

##### Start -- Redirect Geo Conflict Hotspots To The Honeypot -- Start #####
# Apache reads a '#' only at the start of a line; a comment after the flags
# would be parsed as an extra argument and break the whole .htaccess file,
# so each country label sits on its own line above its condition.
RewriteCond %{REQUEST_URI} !honeypot\.php/
# Russia
RewriteCond %{REMOTE_HOST} \.ru$ [NC,OR]
# Armenia
RewriteCond %{REMOTE_HOST} \.am$ [NC,OR]
# Belarus
RewriteCond %{REMOTE_HOST} \.by$ [NC,OR]
# Kazakhstan
RewriteCond %{REMOTE_HOST} \.kz$ [NC,OR]
# Kyrgyzstan
RewriteCond %{REMOTE_HOST} \.kg$ [NC,OR]
# Tajikistan
RewriteCond %{REMOTE_HOST} \.tj$ [NC,OR]
# Cuba
RewriteCond %{REMOTE_HOST} \.cu$ [NC,OR]
# Venezuela
RewriteCond %{REMOTE_HOST} \.ve$ [NC,OR]
# North Korea
RewriteCond %{REMOTE_HOST} \.kp$ [NC,OR]
# Iran
RewriteCond %{REMOTE_HOST} \.ir$ [NC,OR]
# Syria
RewriteCond %{REMOTE_HOST} \.sy$ [NC,OR]
# Yemen (no OR flag: this is the last condition of the chain)
RewriteCond %{REMOTE_HOST} \.ye$ [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots To The Honeypot -- End #####

 

 

Language Detection to Send Users from Specific Countries To Your Honeypot

Language detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP:Accept-Language attribute is passed from a user's web browser to identify their language and country configuration.  Because the header is set by the client, it may be absent or arbitrary, so treat this check as a way to cut noise rather than as an enforcement control.

We will start with the .htaccess file we created in the previous Detect Content Management System (CMS) Hacking Attempts blog.  The new code builds on top of all the previous blog posts, and we will add the language detection capability.

The code below reads the HTTP:Accept-Language variable sent from the user's browser using the RewriteCond command. If a match is detected, the RewriteRule command virtually directs the user to your honey pot.  In this use case, the website owner wants to limit website traffic from U.S. Treasury sanctioned countries and countries involved in conflicts.

The web browser HTTP:Accept-Language variable values correspond to the ISO-639 language abbreviation and the ISO-3166 country code according to the W3C standard (https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.10).  The patterns below are anchored to the start of the header, so only the browser's first (most preferred) language tag is tested.

 

 

##### Start -- Redirect Geo Conflict Hotspots To The Honeypot -- Start #####
# Comments sit on their own lines (Apache does not accept them after a
# directive), and the flag list is written without spaces.
RewriteCond %{REQUEST_URI} !honeypot\.php/
# Russia: Russian
RewriteCond %{HTTP:Accept-Language} ^ru [NC,OR]
# Armenia: Armenian
RewriteCond %{HTTP:Accept-Language} ^hy [NC,OR]
# Belarus: Belarusian
RewriteCond %{HTTP:Accept-Language} ^be [NC,OR]
# Kazakhstan: Kazakh
RewriteCond %{HTTP:Accept-Language} ^kk [NC,OR]
# Kyrgyzstan: Kyrgyz
RewriteCond %{HTTP:Accept-Language} ^ky [NC,OR]
# Tajikistan: Tajik
RewriteCond %{HTTP:Accept-Language} ^tg [NC,OR]
# Cuba: Spanish (not sure if in use)
RewriteCond %{HTTP:Accept-Language} ^es\-cu [NC,OR]
# Venezuela: Spanish
RewriteCond %{HTTP:Accept-Language} ^es\-ve [NC,OR]
# North Korea: Korean (not sure if in use)
RewriteCond %{HTTP:Accept-Language} ^ko\-kp [NC,OR]
# Iran: Persian (Farsi)
RewriteCond %{HTTP:Accept-Language} ^fa [NC,OR]
# Syria: Arabic
RewriteCond %{HTTP:Accept-Language} ^ar\-sy [NC,OR]
# Yemen: Arabic (no OR flag: this is the last condition of the chain)
RewriteCond %{HTTP:Accept-Language} ^ar\-ye [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots To The Honeypot -- End #####

 

 

Web Site Referral Detection To Send Users from Specific Countries To Your Honeypot

Website referral detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP_REFERER attribute is passed from a user's web browser when a user clicks on a link and that link takes the user to your website.  Like Accept-Language, it is client-supplied and frequently absent, so it only catches traffic that announces where it came from.

The code below reads the HTTP_REFERER variable sent from the user's browser using the RewriteCond command. If a match is detected, the RewriteRule command virtually directs the user to your honey pot.  In this use case, the website owner wants to limit website traffic from U.S. Treasury sanctioned countries and countries involved in conflicts.

RewriteCond checks whether the referring website's hostname ends in a country-code top-level domain belonging to one of the countries that the website owner would like to limit traffic from.

 

 

##### Start -- Redirect Geo Conflict Hotspots To The Honeypot -- Start #####  

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{HTTP_REFERER} \.ru$ [NC,OR] #Russia 

RewriteCond %{HTTP_REFERER} \.am$ [NC,OR] #Armenia

RewriteCond %{HTTP_REFERER} \.by$ [NC,OR] #Belarus 

RewriteCond %{HTTP_REFERER} \.kz$ [NC,OR] #Kazakhstan

RewriteCond %{HTTP_REFERER} \.kg$ [NC,OR] #Kyrgyzstan

RewriteCond %{HTTP_REFERER} \.tj$ [NC,OR] #Tajikistan

RewriteCond %{HTTP_REFERER} \.cu$ [NC,OR] #Cuba

RewriteCond %{HTTP_REFERER} \.ve$ [NC,OR] #Venezuela

RewriteCond %{HTTP_REFERER} \.kp$ [NC,OR] #North Korea

RewriteCond %{HTTP_REFERER} \.ir$ [NC,OR] #Iran 

RewriteCond %{HTTP_REFERER} \.sy$ [NC,OR] #Syria

RewriteCond %{HTTP_REFERER} \.ye$ [NC] #Yemen

RewriteRule ^(.*)$ /honeypot.php/ [NC,L] 

##### End -- Redirect Geo Conflict Hotspots To The Honeypot -- End #####
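To see how the three checks in this post behave on realistic request values before they go into a live .htaccess file, here is an added Python emulation of the matching logic; it is not part of the original post or of the Blue Plate WAF download.  It treats an IP address in REMOTE_HOST as a failed reverse lookup, inspects only the first Accept-Language tag (matching whole tags rather than the raw `^ru` prefix), and tests the Referer's hostname rather than the end of the raw URL.  The country and language lists are copied from the rules above; the request values are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Copied from the post's rules: ccTLDs and Accept-Language tags sent to the honeypot.
BLOCKED_CCTLDS = {"ru", "am", "by", "kz", "kg", "tj", "cu", "ve", "kp", "ir", "sy", "ye"}
BLOCKED_LANGS = ("ru", "hy", "be", "kk", "ky", "tg", "es-cu", "es-ve",
                 "ko-kp", "fa", "ar-sy", "ar-ye")


def cctld_of_host(host):
    """Lower-cased last DNS label of a hostname, or None for an empty value or IP literal."""
    host = host.strip().lower().rstrip(".")
    if not host:
        return None
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None  # no reverse DNS name: Apache substituted the client address
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1]


def remote_host_matches(remote_host):
    """Mirrors 'RewriteCond %{REMOTE_HOST} \\.xx$ [NC]': only a resolved FQDN can match."""
    return cctld_of_host(remote_host) in BLOCKED_CCTLDS


def accept_language_matches(header):
    """Mirrors the '^xx' Accept-Language rules on the first (most preferred) tag only."""
    first = header.split(",")[0].split(";")[0].strip().lower()
    return any(first == tag or first.startswith(tag + "-") for tag in BLOCKED_LANGS)


def referer_matches(referer):
    """Tests the Referer's host; a suffix test on the whole URL would miss
    'https://site.ru/page.html' and could be fooled by a path such as '/x.ru'."""
    try:
        host = urlsplit(referer).hostname or ""
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets)
        return False
    return cctld_of_host(host) in BLOCKED_CCTLDS


def classify(request):
    """Names of the detectors that would send this request to the honeypot."""
    checks = (("remote_host", remote_host_matches, "REMOTE_HOST"),
              ("accept_language", accept_language_matches, "HTTP_ACCEPT_LANGUAGE"),
              ("referer", referer_matches, "HTTP_REFERER"))
    return [name for name, check, key in checks if check(request.get(key, ""))]
```

Run `classify` over a dictionary of the three CGI-style variables; an empty list means the request would pass all three rule sets untouched.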

 

 

The working file is available for download here.  We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team by email.

About Private Client Cyber Security

Former U.S. defense industry cybersecurity executives founded PCCS after struggling to convince large cybersecurity companies to address the cyber risks of public persons and small-sized businesses.

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

We strive to provide a personal, professional, next-generation level of cyber protection to our clients.
